ProvenCore

ProvenCore is a formally proven OS kernel designed to help secure embedded devices based on application processors such as gateways, infotainement units, communication and mobile devices, etc. ProvenCore provides security architects with an off-the-shelf certifiable and ultra-secure Trusted Execution Environment (TEE) to build or reinforce the security architecture of their solution, whether for new or existing devices.

Why Use ProvenCore

Embedded devices are increasingly facing cybersecurity issues originating from the lack of robustness of their software stacks, with hackers exploiting bugs and weaknesses, in particular of Operating Systems. On one hand, devices are more connected than ever, through a variety of communication links: deeply embedded devices are now just one hack away from the Internet. On the other hand, they are required to carry increasingly sensitive industrial operations, involving cyber-physical systems or dealing with confidential and/or personal data, performing payment transactions, creating or forwarding valuable data while safekeeping their authenticity, etc. At the same time, time-to-market and cost pressures are unyielding, and designers need to use feature-rich OSs (Linux, Android, Windows, etc) that cannot be trusted and secured as such.

Prove & Run addresses these challenges with ProvenCore. ProvenCore is formally proven for security – down to the generated code. Applications running on ProvenCore are securely isolated from each other, from the applications running elsewhere on the same device and from the outside world. Therefore ProvenCore can be used to build an in-depth defense system for your device and to bring the level of resistance against attacks at an unmatched level. It is designed to integrate easily into new and existing devices and to provide a flexible and certifiable secure execution area for security sensitive applications. By bringing strong foundations, ProvenCore simplify the construction, maintenance and certification of secure embedded systems.

Use Cases

Thanks to the TrustZone™ security feature provided by ARM microprocessors, ProvenCore can run alongside an existing OS, transparently

ProvenCore is also compatible with hypervisors designed for the ARM Cortex-A family

ProvenCore is perfectly suited to create a “security perimeter”, transparently around any unsecured Rich OS. A few examples of potential applications running on ProvenCore:

VPN Client: Forcing applications to communicate with remote servers only through a secure VPN using specific certificates and options,

FIDO Client: Authenticating users using credentials never disclosed to the existing OS,

Application Firewall: Filtering high-level commands and responses between two applications or between an application and a remote server,

ProvenCore At a Glance

Ultra-secure TEE which enforces proven isolation (integrity and confidentiality) between processes, both on code and on data

Compatible with ARM application processors such as the Cortex-A family

POSIX-Compliant API makes porting or developing applications easy

Preemptive, deterministic, multitasking scheduler

Allows for time and cost controlled security certification processes even at the highest security levels, with easy maintenance

Available under flexible licensing terms

Formally Proven Security

ProvenCore uses a microkernel architecture implemented using formally proven code to get as close as possible to zero-defects, to guarantee the security properties and to ease the path to any required certifications. This architecture and these formal proofs insure the sustainability of the maintenance process of systems based on ProvenCore.

Most existing OS kernels (Linux, Windows, etc) rely on a monolithic architecture where every component of the kernel executes in “privileged mode”: the scheduler, the memory manager but also all the drivers for the peripherals. Such kernels are therefore quite large, from dozens of thousand lines of codes to millions. Any security bug in one of these components completely compromises the kernel. ProvenCore uses a microkernel architecture, where the software components executing in privileged mode are as small as possible (usually less than ten thousand lines), and additional components such as device drivers execute as conventional processes. A security issue in one of these components cannot propagate itself to the other components.

ProvenCore has been completely modeled in Smart and proven using ProvenTools, Prove & Run’s formal software development toolchain. This means that it is mathematically proven that processes running on ProvenCore will always retain their integrity (no other process can tamper with their internal data) and confidentiality (no other process can read their internal data). A misbehaving or malicious process has no practical way to modify a running process or to practically spy on another process.

Professional Services

In addition to ready-made security COTS such as ProvenCore, ProvenCore-M and ProvenVisor, Prove & Run offers a range of professional services to: